ColdFusion hack used to steal hosting provider’s customer data

Linode hit by possible zero-day exploit patched by Adobe on April 9.

A vulnerability in the ColdFusion Web server platform, reported by Adobe less than a week ago, has apparently been in the wild for almost a month and has allowed the hacking of at least one company website, exposing customer data. Yesterday, it was revealed that the virtual server hosting company Linode had been the victim of a multi-day breach that allowed hackers to gain access to customer records.

The breach was made possible by a vulnerability in Adobe's ColdFusion server platform that could, according to Adobe, "be exploited to impersonate an authenticated user." A patch for the vulnerability had been issued on April 9 and was rated priority "2" and "important." Those ratings placed it one step down from the most critical, indicating that there were no known exploits at the time the patch was issued but that data was at risk. Adobe credited "an anonymous security researcher" with discovering the vulnerability.

But according to an IRC conversation involving one of the alleged hackers of the site, Linode's site had been compromised for weeks before its discovery. That revelation leaves open the possibility that other ColdFusion sites have been compromised as hackers sought out targets on which to use the exploit.

ColdFusion is a Java-based Web server platform that interprets its own proprietary markup language in page code to access server-side application components and data. It has had a large installed base in the government sector and other markets, but its market share has been in decline for some time, and the technology has seen little change since 2009. In 2011, Adobe announced it was moving the whole of ColdFusion development to India.

The element attacked is its user authentication component, cflogin. In March, a ColdFusion user reported encountering errors in cflogin he believed were because of attempted hack attacks. "I've now seen cflogin throw an error twice now with bad input at—I believe—the cookie level," he reported to Adobe's bug tracker.

By exploiting the login vulnerability, the hackers were able to gain access to the Linode server itself and to the site's code. Through the code, they were able to obtain the login credentials to Linode's database and steal customer data that included hashed passwords, encrypted credit card data, and the unencrypted last four digits of credit cards used for verification purposes. Customer keys for Linode's deployment and management APIs were also exposed.

Linode has expired those keys and is re-issuing them. Linode representatives said in a blog post that it has "no evidence decrypted credit card numbers were obtained" and added that the encryption key for credit card data was not stored on the server and was "not guessable, sufficiently long and complex, not based on dictionary words, and not stored anywhere but in our heads."

Ars has contacted Linode for comment on the breach, but a spokesperson said it may be several days before the company will respond with further information.

That's a shame. I really do like Linode as a service. Their VPS's are really reasonably priced and have been rock solid (in a year, they've gone down once).

While they do have good service and support, they certainly don't have close to the cheapest prices; they are probably 3x more expensive than the cheaper options out there, but there are not many better options if you need excellent customer support and reliability.

Linode administrators have discovered and blocked suspicious activity on the Linode network. This activity appears to have been a coordinated attempt to access the account of one of our customers. This customer is aware of this activity and we have determined its extent and impact. We have found no evidence that any Linode data of any other customer was accessed. In addition, we have found no evidence that payment information of any customer was accessed.

(Continued...)

This was the only email with respect to this incident I received. They specifically mention that there was "no evidence" found to indicate that payment information was stolen. I don't think a blog post qualifies as due diligence on their part.

From the IRC logs, "ryan," who claims to represent the hacking group responsible for this attack, indicates that they were working with Linode to keep the situation quiet and that this recent information release was in response to Linode contacting law enforcement. Whether this is true or not is debatable. I sincerely hope it is not.

Linode has been a great service for many years. Their VPS solutions are top-notch and these incidents can happen to the best. However I am very interested in watching this situation develop.

Yes, I and my client got the email about needing to reset passwords and did so. The client whose (encrypted) credit card is on file with Linode has now also been notified via that rather more circuitous route of my reading about the stolen database here and emailing the client a summary.

A "you must reset your password" message is a very different concern from "your encrypted credit card and other information has been stolen" situation. Notification of the first does not remove the need to notify about the second.

Yes, agreed. As you point out, encrypted credit card information was stolen, which the original email said nothing about. I thought you meant any kind of notification at all, which did go out. But I agree, for customers with credit card data and other types of data which was stolen, they should have notified them directly as well.

According to "ryan" in the IRC logs, they have the encrypted CC data as well as the private/public keys used for encryption, which he said were stored in the same directory. This is pretty scary if true; Linode really should confirm whether this really was the case.

I'm a ColdFusion developer and I was surprised to see this. I didn't know anybody else worked in ColdFusion.

I still have to touch CF occasionally. My employer has a client approval website that auto generates approval pages based off the files that are in the directory, and every once in a while that script needs to be updated.

Trust me, neither did anyone else. I thought ColdFusion was a dead language only supported by a few straggling sites. Guess I was wrong. I thought the only players really in contention right now were PHP (what I program in), C#.NET, Ruby, and Java (by a long shot).

I use Linode and have been very happy with them. I just hope they can upgrade their systems to use something a bit better, more modern. I guess even the best can get stuck in legacy technology **sighs**.

I have done a lot of shopping around and for unmanaged VPS hosting I haven't really found anything more affordable. I do agree they have great support and up-time. They also have very fast environments. I have no complaints.

Regarding Linode's use of ColdFusion: The company has been around for a decade. A decade ago, ColdFusion wasn't an unusual choice. As for ripping out and replacing it at some point in the intervening decade: that could be a risky, expensive choice. There is a reason we have legacy systems: they are paid for and they work.

Linode is misleading and outright lying to its customers with this announcement; if they truly were using PKI encryption for CC#s, either the key material or the passphrase was cached in memory (likely to be the case, given, for instance, that cards are charged immediately upon purchase of new Linodes in existing accounts). The exploit completely bypassed the PKI encryption anyhow, according to the hacking group.

Regardless, if you are a Linode customer and have not requested new cards to replace those associated with your account there, do so ASAP.
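The disagreement in the comments above, and in the article's account of a key "not stored anywhere but in our heads" beside a claim that the keys sat in the same directory as the data, comes down to one design question: which host can decrypt stored card numbers. The Go program below is an added example, not Linode's code or anything from the article, showing the split that makes the "encrypted data stolen, key not present" claim meaningful: an Internet-facing web tier that holds only an RSA public key and writes ciphertext plus the clear last four digits (the one field the article says was stored unencrypted), and a separate billing tier that alone holds the private key. The type and function names, the OAEP label and the test card number are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Arbitrary constant binding wrapped keys to this purpose; both tiers must use the same one.
var oaepLabel = []byte("card-dek-v1")

// StoredCard is the database record the web tier writes: ciphertext, a wrapped
// per-record key, and the last four digits kept in the clear for verification.
type StoredCard struct {
	LastFour   string
	WrappedKey []byte // random AES-256 key, RSA-OAEP encrypted to the billing public key
	Nonce      []byte
	Ciphertext []byte // AES-GCM over the full card number, LastFour bound as associated data
}

// WebTier holds only the public key: a compromise of this host or its database
// yields ciphertext that cannot be decrypted there.
type WebTier struct{ Pub *rsa.PublicKey }

// BillingTier runs on a separate host and is the only place the private key exists.
type BillingTier struct{ Priv *rsa.PrivateKey }

// NewKeyPair generates the billing key pair (in practice, on the billing host, never copied out).
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// StoreCard encrypts a card number for storage without ever being able to read it back.
func (w WebTier) StoreCard(pan string) (StoredCard, error) {
	if len(pan) < 13 || len(pan) > 19 {
		return StoredCard{}, errors.New("card number length out of range")
	}
	lastFour := pan[len(pan)-4:]
	// Fresh data-encryption key per record: leaking one record's key exposes one record.
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return StoredCard{}, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return StoredCard{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return StoredCard{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredCard{}, err
	}
	// LastFour is authenticated as associated data, so the clear digits cannot be
	// edited or swapped between records without the billing host noticing.
	ct := gcm.Seal(nil, nonce, []byte(pan), []byte(lastFour))
	// Wrap the DEK to the public key; only the billing host can unwrap it.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, w.Pub, dek, oaepLabel)
	if err != nil {
		return StoredCard{}, err
	}
	return StoredCard{LastFour: lastFour, WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Charge recovers the card number on the billing host; any tampering with the record fails.
func (b BillingTier) Charge(rec StoredCard) (string, error) {
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, b.Priv, rec.WrappedKey, oaepLabel)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	pan, err := gcm.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.LastFour))
	if err != nil {
		return "", err
	}
	return string(pan), nil
}

func main() {
	priv, err := NewKeyPair()
	if err != nil {
		panic(err)
	}
	web := WebTier{Pub: &priv.PublicKey}
	billing := BillingTier{Priv: priv}
	rec, err := web.StoreCard("4111111111111111") // constructed test number, not a real card
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: last4=%s ciphertext=%x...\n", rec.LastFour, rec.Ciphertext[:8])
	pan, err := billing.Charge(rec)
	fmt.Println("billing host recovered:", pan, err)
	rec.LastFour = "0000" // a record edited in the web tier's database
	_, err = billing.Charge(rec)
	fmt.Println("tampered record on billing host:", err)
}
```

The value of the split is exactly the scenario in the article: an attacker who reaches the web host and its database gets records that cannot be decrypted on that host. It gives nothing if the private key or its passphrase is copied next to the data, which is the situation the comment above describes, and charging cards "immediately" then means the web tier must call the billing host through a narrow interface rather than hold its key.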

ColdFusion has a decent install base of just over 1% of all web sites. Not a ton of market share whatsoever, but still a sizeable install base. Note usage is slowly falling as well, however it's certainly still in use.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.